Or you could just check if request.getMethod().equals("POST")
  (*Chris*)

On Wed, Sep 29, 2010 at 10:11 AM, Maurizio Cucchiara <
[email protected]> wrote:

> Hi,
> you could obtain the session id through session.getId() and put it inside
> the form as a hidden field; afterwards you could verify its correctness.
>
> did I answer your question?
>
> Maurizio Cucchiara
>
>
>
> 2010/9/29 Orpu <[email protected]>:
> >
> > Hi All,
> >
> > My application is developed using the Struts framework. It takes user id
> > and password at the time of login and goes to the next page. I am using
> > method="POST" when I am invoking the action class as below.
> >
> > <html:form action="/login.do" method="POST">
> >
> > Basically I don't have any problem when I am logging in after giving user id
> > and password.
> >
> > But I am having security concerns when I am sending user id and password
> > in the URL as below:
> >
> > http://localhost:8080/SecurityTest/login.do?userId=sss&password=sss&step=Login
> >
> > Using the above URL in the browser successfully takes me to the
> > next page.
> >
> > Can anyone please help me. How do I protect the application in this scenario?
> >
> > I tried to solve this issue by defining security-constraints in the web.xml
> > file as below
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>Protected Area with GET</web-resource-name>
> >             <url-pattern>*/login.do</url-pattern>
> >             <http-method>GET</http-method>
> >         </web-resource-collection>
> >         <auth-constraint/>
> >     </security-constraint>
> >
> > One more thing: I should not put restrictions on the other GET methods which
> > are in the entire application. I should only restrict at the time of login.
> >
> > I know the url-pattern that I am using may resolve this issue. But what
> > is the correct pattern I have to use?
> >
> > Please help me.
> >
> > Thanks
> > Raj
> > --
> > View this message in context:
> http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29838122.html
> > Sent from the Struts - Dev mailing list archive at Nabble.com.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> >
>
>
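As an added example (not code from this thread, and not part of Struts itself), here is a servlet Filter that implements the request.getMethod() check Chris suggests for the login action only, so the rest of the application's GET requests are untouched. The class name PostOnlyLoginFilter, its package and the LOGIN_PATH constant are hypothetical; the servlet path /login.do is taken from Raj's message. The filter also refuses a query string on that path, because HttpServletRequest.getParameter() merges query-string and body parameters, so a POST to /login.do?userId=sss&password=sss would otherwise still log in with the password in the URL. Doing this in a filter also sidesteps the web.xml url-pattern question: the servlet spec only recognises exact matches (/login.do), path prefixes (/foo/*) and extensions (*.do), so a filter-mapping on the exact path /login.do is the form to use.

```java
package example.security; // hypothetical package, not from the original thread

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request to the login action that is not a body-only POST.
 * Any other path passes through untouched, so the application's ordinary
 * GET requests are not affected. Class name and package are hypothetical.
 */
public class PostOnlyLoginFilter implements Filter {

    /** Servlet path of the login action as used in the thread (assumed). */
    static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    /**
     * Pure decision function, kept separate from the servlet plumbing so it
     * can be unit-tested. Returns true when the request may reach the action.
     */
    static boolean isAllowed(String servletPath, String method, String queryString) {
        if (!LOGIN_PATH.equals(servletPath)) {
            return true;           // not the login action: no restriction at all
        }
        if (!"POST".equals(method)) {
            return false;          // GET, HEAD, ...: credentials would sit in the URL
        }
        // getParameter() reads both the body and the query string, so a POST to
        // /login.do?userId=x&password=y would still succeed with the password in
        // browser history, proxy and access logs and Referer headers. Require
        // the login POST to carry every parameter in the body.
        return queryString == null || queryString.length() == 0;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAllowed(request.getServletPath(), request.getMethod(),
                       request.getQueryString())) {
            // Do not echo the request parameters back; they may hold the password.
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "Login is only accepted as a POST with form-body parameters");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}

/* Assumed web.xml registration (exact-match pattern, so only the login
   action is filtered):

   <filter>
       <filter-name>postOnlyLogin</filter-name>
       <filter-class>example.security.PostOnlyLoginFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>postOnlyLogin</filter-name>
       <url-pattern>/login.do</url-pattern>
   </filter-mapping>
*/
```

With the mapping above the filter only ever runs for /login.do, so the LOGIN_PATH comparison inside isAllowed() is a second line of defence in case the mapping is later widened; the 405 response deliberately carries the Allow: POST header and no copy of the submitted parameters.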
